2. Agenda
● Identity and Access Management
● Vendor vs. Open Source solutions
● Apache Syncope
3. What's IdM about?
● A data record that contains a collection of data about a person
– “Data record” → Account
– “A person” → Identity
● The joint effort of business process and IT to manage user data on systems and applications
4. IdM technologies
● Identity Stores
– Storage of user information
● Provisioning
– Synchronize account data across identity
stores and a broad range of data formats,
models, meanings and purposes
● Access Management
– Security mechanisms that take place when a
user is accessing a specific system or
functionality
5. Identity Stores
● Examples
– LDAP / Active Directory
– RDBMS
– Meta and Virtual Directories
● Accounts can be created and managed in
one place only
● Each application manages authentication
separately
– The user may use the same password for all
the connected applications
6. Provisioning
● Keeping the identity stores as
synchronized as possible (and practical)
● Need to be customizable and flexible
● Priority: non-intrusive
● Focused on application back-end
● Communication:
– Connectors
– Agents
8. Access Management
● Mediator to all access to all applications
● Focused on application front-end
● Aspects
– Authentication
● Single Sign-On
– Authorization
– Federation (SAML, Liberty, ...)
● Mainly applicable to web applications
● Difficult integration with pre-existing apps
9. Aren't Identity Stores enough?
● Heterogeneity of systems
● Lack of a single source of information
– HR for corporate id, Groupware for mail
address, ...
● Need for a local user database
● Inconsistent policies
● Lack of workflow management
● Hidden infra management cost, growing
with organization size
15. Apache Syncope (incubating)
● Inception by Tirasa in 2010
● Entered ASF incubator in February 2012
● 6 ASF releases made
● Graduation as TLP currently under [VOTE]
● Rising in popularity
– New PPMC members joined
– ~80 mailing list subscribers, noticeable traffic
– Our mentor Colm Ó hÉigeartaigh is these days
introducing Syncope at JAXCON 2012
http://lanyrd.com/2012/w-jax/sxcyz/
16. Syncope: features
● Workflow-based provisioning engine
● Account / Password policies
● Agentless connection with Identity Stores
● Auditing & Reporting
● Shining admin console
● Customizable and extensible by design
19. Syncope: attribute mapping
● Syncope
– User Attributes
● Username: jblack
● Nickname: jontheblack
● Firstname: John
● Surname: Black
● Email: john.black@apache.org
● Password: **********
● Badge: 1432
– User Derived Attributes
● Fullname: John Black
– User Virtual Attributes (stored only on external resource)
● HomeDirectory: /home/jblack
● LDAP
– uid: jblack
– givenName: John
– sn: jblack
– mail: john.black@apache.org
– userpassword: **********
– employeeNumber: 1432
– cn: John Black
– homeDirectory: /home/jblack
● Database
– accountId: jblack
– surname: jblack
– firstname: John
– password: *********
– employeeNumber: 1432
– fullname: Jock Black
20. Syncope: connectors
● Based on ConnId, hosted at Google Code, the new home of Sun's Identity Connectors
– Ready-to-use bundles:
● LDAP
● Active Directory
● DB Table
● CSV Directory
● SOAP
● Google Apps
● UNIX
– Write your own bundle
(Diagram: the provisioning engine uses connectors through the ConnId API; connector bundles implement the SPI and share the common objects and utility code)
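The two slides above describe the same flow from two sides: slide 19 shows how a Syncope user's stored, derived and virtual attributes are mapped onto the attribute names of an LDAP directory and a database table, and slide 20 shows that the push happens through interchangeable connector bundles behind a common API/SPI. The following is an added example, not Apache Syncope or ConnId code, that puts both together in a toy provisioning engine. The mapping tables, the `Connector` protocol, the `DbTableConnector` and `CsvDirectoryConnector` classes and the sample user are all assumptions made for this example (the CSV connector stands in for the directory side, carrying LDAP-style attribute names).

```python
# Added example (not Apache Syncope / ConnId code): attribute mapping plus a
# connector API/SPI split, modelled loosely on slides 19 and 20.
import csv
import io
from typing import Callable, Dict, Protocol

# Constructed sample user; attribute names and values follow slide 19.
SYNCOPE_USER = {
    "Username": "jblack", "Nickname": "jontheblack", "Firstname": "John",
    "Surname": "Black", "Email": "john.black@apache.org",
    "Password": "example-only", "Badge": "1432",
}

# Derived attributes are computed from stored ones; virtual attributes exist
# only on the external resource. Neither is persisted in Syncope's own store.
DERIVED: Dict[str, Callable[[dict], str]] = {
    "Fullname": lambda u: f"{u['Firstname']} {u['Surname']}",
}
VIRTUAL: Dict[str, Callable[[dict], str]] = {
    "HomeDirectory": lambda u: f"/home/{u['Username']}",
}

def resolve(user: dict) -> dict:
    """Stored attributes plus derived and virtual ones, as a resource sees them."""
    view = dict(user)
    for name, fn in {**DERIVED, **VIRTUAL}.items():
        view[name] = fn(user)
    return view

# Resource attribute -> Syncope attribute (assumed mappings for this example).
LDAP_MAPPING = {"uid": "Username", "givenName": "Firstname", "sn": "Surname",
                "mail": "Email", "userpassword": "Password", "cn": "Fullname",
                "employeeNumber": "Badge", "homeDirectory": "HomeDirectory"}
DB_MAPPING = {"accountId": "Username", "surname": "Surname",
              "firstname": "Firstname", "password": "Password",
              "employeeNumber": "Badge", "fullname": "Fullname"}

def map_attributes(user: dict, mapping: Dict[str, str]) -> dict:
    """Translate a Syncope user into the attribute names of one resource."""
    view = resolve(user)
    missing = [src for src in mapping.values() if src not in view]
    if missing:  # a mapping to a non-existent attribute is a configuration bug
        raise KeyError(f"mapping refers to unknown attributes: {missing}")
    return {ext: view[src] for ext, src in mapping.items()}

# --- SPI: what every connector bundle implements ---------------------------
class Connector(Protocol):
    key: str  # resource attribute that identifies the account
    def create(self, attrs: dict) -> str: ...
    def search(self, account_id: str) -> dict: ...

class DbTableConnector:
    """Stand-in for the 'DB Table' bundle: rows kept in a dict."""
    key = "accountId"
    def __init__(self) -> None:
        self.rows: Dict[str, dict] = {}
    def create(self, attrs: dict) -> str:
        self.rows[attrs[self.key]] = dict(attrs)
        return attrs[self.key]
    def search(self, account_id: str) -> dict:
        return dict(self.rows.get(account_id, {}))

class CsvDirectoryConnector:
    """Stand-in for the 'CSV Directory' bundle: one CSV row per account, in memory."""
    key = "uid"
    def __init__(self) -> None:
        self.buffer = io.StringIO()
        self.fields: list = []
    def create(self, attrs: dict) -> str:
        writer = csv.DictWriter(self.buffer, self.fields or list(attrs))
        if not self.fields:  # first account fixes the column layout
            self.fields = list(attrs)
            writer.writeheader()
        writer.writerow(attrs)
        return attrs[self.key]
    def search(self, account_id: str) -> dict:
        for row in csv.DictReader(io.StringIO(self.buffer.getvalue())):
            if row[self.key] == account_id:
                return dict(row)
        return {}

# --- API: what the provisioning engine calls, whatever the bundle is -------
class ProvisioningEngine:
    def __init__(self) -> None:
        self.resources: Dict[str, tuple] = {}
    def add_resource(self, name: str, conn: Connector, mapping: Dict[str, str]):
        self.resources[name] = (conn, mapping)
    def propagate(self, user: dict) -> Dict[str, str]:
        """Push the user to every resource; return the account id created on each."""
        return {name: conn.create(map_attributes(user, mapping))
                for name, (conn, mapping) in self.resources.items()}

def demo() -> dict:
    engine = ProvisioningEngine()
    engine.add_resource("csv", CsvDirectoryConnector(), LDAP_MAPPING)
    engine.add_resource("db", DbTableConnector(), DB_MAPPING)
    ids = engine.propagate(SYNCOPE_USER)
    csv_conn, _ = engine.resources["csv"]
    db_conn, _ = engine.resources["db"]
    return {"ids": ids, "csv": csv_conn.search(ids["csv"]),
            "db": db_conn.search(ids["db"])}

if __name__ == "__main__":
    print(demo())
```

Two points the slides make are visible in the code: `Fullname` and `HomeDirectory` never appear in `SYNCOPE_USER`, they are produced at propagation time, and the engine has no idea which bundle it is talking to, so swapping the CSV stand-in for a real directory connector only changes `add_resource`. The `KeyError` in `map_attributes` is the check a practitioner wants: a mapping that names an attribute the user does not have should fail loudly at propagation rather than silently write an empty value into the resource.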
24. Syncope: roadmap
● Role provisioning
● SOAP / SCIM interface via CXF
● Access Management features via Shiro
● Concurrent / Asynchronous communication
with external resources
● OpenICF support
26. Syncope: trying it out
● Online http://syncopedemo.tirasa.net
● Virtual Machine image
● Quickstart projects on Github
● New project from Maven Archetype
● Standalone distribution
(soon available)
27. Questions?
All text and image content in this document is licensed under the Creative Commons Attribution-Share Alike 3.0 License
(unless otherwise specified). Apache, Syncope, Apache Syncope, the Apache feather logo, the Apache Syncope project logo
and the Apache Syncope logo are trademarks of The Apache Software Foundation. All other marks mentioned may be
trademarks or registered trademarks of their respective owners.
Editor's Notes
I am 35, Italian, married, one child (3 years old) and another on the way. I have a tricky surname. My nickname at ASF is ilgrosso, meaning "the big one" because, yeah, I haven't worn a size S since I was 10 ;-) At ASF: Member, PMC member at Apache Cocoon, PPMC member at Apache Syncope
Provisioning systems integrate many different identity stores. Provisioning systems communicate with each application: Connectors are pieces of code running on the side of a provisioning system; non-intrusive, do not require any installation on the application side. Agents run on the application side; intrusive and require installation (and integration) on the application side; often more efficient
A provisioning system makes an identity out of a sparse set of accounts. So, what a provisioning system does is known as Identity Lifecycle Management. Provisioning systems then accompany every relevant change in an identity's life (inner circle) and provide specific features (outer circle).